
fix(ssg): Add URL parsing validation and restrict to loopback/internal IPs #4141


Closed
wants to merge 1 commit into from

Conversation

wiseaidev
Contributor

Fixes #4137

wiseaidev Mahmoud 🦀
…l IPs

- Validate URL scheme to allow only http/https
- Ensure host and port are present and resolve successfully
- Restrict resolved IPs to loopback or unspecified (e.g. 127.0.0.1, ::1, 0.0.0.0)
- Prevents SSRF by disallowing external address access during route rendering
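An added Rust sketch of the checks the commit message lists (this is illustrative code written for this page, not the PR's own diff, which is not shown here); `parse_target`, `addrs_are_local` and `validate_ssg_url` are hypothetical names, and name resolution uses the standard library's `to_socket_addrs`:

```rust
use std::net::{SocketAddr, ToSocketAddrs};

/// Split "scheme://host[:port]" into (scheme, host, port). Hypothetical helper
/// that only accepts the bare authority shape the SSG loop needs: no userinfo,
/// and anything after the first '/', '?' or '#' is ignored.
fn parse_target(url: &str) -> Result<(&str, &str, u16), String> {
    let (scheme, rest) = url.split_once("://").ok_or("missing scheme")?;
    let authority = rest.split(['/', '?', '#']).next().unwrap_or("");
    if authority.contains('@') {
        return Err("userinfo not allowed".into());
    }
    let (host, port) = if let Some(stripped) = authority.strip_prefix('[') {
        // Bracketed IPv6 literal, e.g. [::1]:3000
        let (h, tail) = stripped.split_once(']').ok_or("unterminated IPv6 literal")?;
        (h, tail.strip_prefix(':').ok_or("missing port")?)
    } else {
        authority.rsplit_once(':').ok_or("missing port")?
    };
    if host.is_empty() {
        return Err("missing host".into());
    }
    let port: u16 = port.parse().map_err(|_| format!("invalid port {port:?}"))?;
    Ok((scheme, host, port))
}

/// Every resolved address must be loopback (127.0.0.1, ::1) or unspecified (0.0.0.0, ::).
fn addrs_are_local(addrs: &[SocketAddr]) -> bool {
    !addrs.is_empty() && addrs.iter().all(|a| a.ip().is_loopback() || a.ip().is_unspecified())
}

/// Mirrors the commit message: http/https only, host and port present,
/// resolution succeeds, and no resolved IP points at an external address.
pub fn validate_ssg_url(url: &str) -> Result<Vec<SocketAddr>, String> {
    let (scheme, host, port) = parse_target(url)?;
    if scheme != "http" && scheme != "https" {
        return Err(format!("scheme {scheme:?} not allowed"));
    }
    let addrs: Vec<SocketAddr> = (host, port)
        .to_socket_addrs()
        .map_err(|e| format!("cannot resolve {host}:{port}: {e}"))?
        .collect();
    if !addrs_are_local(&addrs) {
        return Err(format!("{host} resolves to a non-local address"));
    }
    Ok(addrs)
}
```

The constructed inputs in the test use numeric literals (including 203.0.113.5 from the documentation range as the external case) so it runs without DNS.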
@wiseaidev wiseaidev requested a review from a team as a code owner May 19, 2025 08:22
@jkelleyrtp
Member

As mentioned in #4137, the fact that SSG runs your app's executable when --ssg is passed to pre-generate routes from the /static-routes endpoint is NOT a security issue.

The vector outlined here:

Agree, but the vulnerability exists, and it's relatively easy to address. The more challenging aspect of this exploit lies in the social engineering required, specifically, convincing a victim to ssg a malicious Dioxus app using the IP address of an attacker-controlled machine:

IP=malicious-ip PORT=3000 dx build --release --ssg

For example, an attacker, disguised as a recruiter, could trick a job seeker into downloading a vulnerable Dioxus app, running the above command, and completing an assigned task, potentially hiding the malicious IP within a script (e.g. make build).

is not a valid security vector. The statement

For example, an attacker, disguised as a recruiter, could trick a job seeker into downloading a vulnerable Dioxus app,

is equivalent to saying "if you download malware, dioxus might interact with the malware." If you download malware, we cannot help you.

@jkelleyrtp jkelleyrtp closed this May 25, 2025
Successfully merging this pull request may close these issues.

[Security]: SSRF in CLI SSG Loop